ansible-lockdown · uk-bolly · Jan 24, 2025 · Jan 14, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -596,12 +596,16 @@ rhel_09_653120: true
 
 ### CONTROLS
 
-## Graphical/Gnome interface required
+## Graphical/Gnome interface approved to be present
+rhel9stig_gui_approved: false
+
+# If gui not installed
 rhel9stig_gui: "{{ rhel_09_gnome_present.stat.exists | default(false) }}"
 
 ## SSHD
 rhel9stig_sshd_config_file: /etc/ssh/sshd_config
 rhel9stig_ssh_required: true
+rhel9stig_sshd_config_maxlogins: 10
 rhel9stig_sshd_config:
   banner_file: /etc/issue
   ciphers: "{{ rhel9stig_dod_ciphers }}"

diff --git a/tasks/Cat1/RHEL-09-4xxxxx.yml b/tasks/Cat1/RHEL-09-4xxxxx.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: HIGH | RHEL-09-0411100 | The root account must be the only account having unrestricted access to RHEL 9 system.
+- name: HIGH | RHEL-09-411100 | The root account must be the only account having unrestricted access to RHEL 9 system.
   when:
     - rhel_09_411100
   tags:
@@ -15,13 +15,13 @@
   vars:
     warn_control_id: "HIGH | RHEL-09-411100"
   block:
-    - name: HIGH | RHEL-09-0411100 | AUDIT | The root account must be the only account having unrestricted access to RHEL 9 system.
+    - name: HIGH | RHEL-09-411100 | AUDIT | The root account must be the only account having unrestricted access to RHEL 9 system.
       ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
       changed_when: false
       check_mode: false
       register: rhel9stig_uid_zero_accounts_except_root
 
-    - name: HIGH | RHEL-09-0411100 | WARN | The root account must be the only account having unrestricted access to RHEL 9 system.
+    - name: HIGH | RHEL-09-411100 | WARN | The root account must be the only account having unrestricted access to RHEL 9 system.
       when:
         - rhel9stig_uid_zero_accounts_except_root is defined
         - rhel9stig_uid_zero_accounts_except_root.stdout | length > 0

diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -84,6 +84,7 @@
 - name: "MEDIUM | RHEL-09-211030 | PATCH | The graphical display manager must not be the default target on RHEL 9 unless approved."
   when:
     - rhel_09_211030
+    - not rhel9stig_gui_approved
   tags:
     - RHEL-09-211030
     - CAT2
@@ -1063,9 +1064,14 @@
     name: quagga
     state: absent
 
+# Note if groups installed via ansible previously https://bugzilla.redhat.com/show_bug.cgi?id=1620324.
+# More efficient to remove as a list but conditional required a loop
 - name: "MEDIUM | RHEL-09-215070 | PATCH | A graphical display manager must not be installed on RHEL 9 unless approved."
   when:
     - rhel_09_215070
+    - not rhel9stig_gui_approved
+    - rhel9stig_gui
+    - "item in ansible_facts.packages"
   tags:
     - RHEL-09-215070
     - CAT2
@@ -1075,8 +1081,13 @@
     - V-257837
     - NIST800-53R4_CM-6
   ansible.builtin.package:
-    name: "xorg*common"
+    name: "{{ item }}"
     state: absent
+  loop:
+    - "xorg*common"
+    - "workstation-product-environment"
+    - "graphical-server-environment"
+    - "gnome-desktop"
 
 - name: "MEDIUM | RHEL-09-215075 | PATCH | RHEL 9 must have the openssl-pkcs11 package installed."
   when:

diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -981,14 +981,7 @@
     modification_time: preserve
     owner: root
     path: "{{ item }}"
-  loop:
-    - /sbin/auditctl
-    - /sbin/aureport
-    - /sbin/ausearch
-    - /sbin/autrace
-    - /sbin/auditd
-    - /sbin/rsyslogd
-    - /sbin/augenrules
+  loop: "{{ audit_bins }}"
 
 - name: "MEDIUM | RHEL-09-232040 | PATCH | RHEL 9 cron configuration directories must have a mode of 0700 or less permissive."
   when:
@@ -1133,6 +1126,8 @@
   ansible.builtin.file:
     mode: 'u-x,go-wx'
     path: /etc/group-
+  failed_when: discovered_group_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_group_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
   when:
@@ -1148,6 +1143,8 @@
   ansible.builtin.file:
     mode: 'ugo-rwx'
     path: /etc/gshadow
+  failed_when: discovered_gshadow_file_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_file_exists
 
 - name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
   when:
@@ -1163,6 +1160,8 @@
   ansible.builtin.file:
     mode: 'ugo-rwx'
     path: /etc/gshadow-
+  failed_when: discovered_gshadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
   when:
@@ -1193,6 +1192,8 @@
   ansible.builtin.file:
     mode: 'u-x,go-wx'
     path: /etc/passwd-
+  failed_when: discovered_passwd_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_passwd_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
   when:
@@ -1208,6 +1209,8 @@
   ansible.builtin.file:
     mode: 'ugo-rwx'
     path: /etc/shadow-
+  failed_when: discovered_shadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_shadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
   when:
@@ -1253,6 +1256,8 @@
   ansible.builtin.file:
     owner: root
     path: /etc/group-
+  failed_when: discovered_group_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_group_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232105 | PATCH | RHEL 9 /etc/group- file must be group-owned by root."
   when:
@@ -1268,6 +1273,8 @@
   ansible.builtin.file:
     group: root
     path: /etc/group-
+  failed_when: discovered_group_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_group_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232110 | PATCH | RHEL 9 /etc/gshadow file must be owned by root."
   when:
@@ -1283,6 +1290,8 @@
   ansible.builtin.file:
     owner: root
     path: /etc/gshadow
+  failed_when: discovered_gshadow_file_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_file_exists
 
 - name: "MEDIUM | RHEL-09-232115 | PATCH | RHEL 9 /etc/gshadow file must be group-owned by root."
   when:
@@ -1298,6 +1307,8 @@
   ansible.builtin.file:
     group: root
     path: /etc/gshadow
+  failed_when: discovered_gshadow_file_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_file_exists
 
 - name: "MEDIUM | RHEL-09-232120 | PATCH | RHEL 9 /etc/gshadow- file must be owned by root."
   when:
@@ -1313,6 +1324,8 @@
   ansible.builtin.file:
     owner: root
     path: /etc/gshadow-
+  failed_when: discovered_gshadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232125 | PATCH | RHEL 9 /etc/gshadow- file must be group-owned by root."
   when:
@@ -1328,6 +1341,8 @@
   ansible.builtin.file:
     group: root
     path: /etc/gshadow-
+  failed_when: discovered_gshadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_gshadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232130 | PATCH | RHEL 9 /etc/passwd file must be owned by root."
   when:
@@ -1373,6 +1388,8 @@
   ansible.builtin.file:
     owner: root
     path: /etc/passwd-
+  failed_when: discovered_passwd_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_passwd_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232145 | PATCH | RHEL 9 /etc/passwd- file must be group-owned by root."
   when:
@@ -1388,6 +1405,8 @@
   ansible.builtin.file:
     group: root
     path: /etc/passwd-
+  failed_when: discovered_passwd_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_passwd_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232150 | PATCH | RHEL 9 /etc/shadow file must be owned by root."
   when:
@@ -1433,6 +1452,8 @@
   ansible.builtin.file:
     owner: root
     path: /etc/shadow-
+  failed_when: discovered_shadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_shadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232165 | PATCH | RHEL 9 /etc/shadow- file must be group-owned by root."
   when:
@@ -1447,7 +1468,9 @@
     - NIST800-53R4_CM-6
   ansible.builtin.file:
     group: root
-    path: /etc/shadow
+    path: /etc/shadow-
+  failed_when: discovered_shadow_hyphen_exists.state not in '[ file, absent ]'
+  register: discovered_shadow_hyphen_exists
 
 - name: "MEDIUM | RHEL-09-232170 | PATCH | RHEL 9 /var/log directory must be owned by root."
   when:
@@ -1693,14 +1716,7 @@
   ansible.builtin.file:
     owner: root
     path: "{{ item }}"
-  loop:
-    - '/sbin/auditctl'
-    - '/sbin/aureport'
-    - '/sbin/ausearch'
-    - '/sbin/autrace'
-    - '/sbin/auditd'
-    - '/sbin/rsyslogd'
-    - '/sbin/augenrules'
+  loop: "{{ audit_bins}}"
 
 - name: "MEDIUM | RHEL-09-232225 | PATCH | RHEL 9 audit tools must be group-owned by root."
   when:
@@ -1716,14 +1732,7 @@
   ansible.builtin.file:
     group: root
     path: "{{ item }}"
-  loop:
-    - '/sbin/auditctl'
-    - '/sbin/aureport'
-    - '/sbin/ausearch'
-    - '/sbin/autrace'
-    - '/sbin/auditd'
-    - '/sbin/rsyslogd'
-    - '/sbin/augenrules'
+  loop: "{{ audit_bins }}"
 
 - name: "MEDIUM | RHEL-09-232230 | PATCH | RHEL 9 cron configuration files directory must be owned by root."
   when: